codebase-to-course-cn

Pass

Audited by ClawScan on May 14, 2026.

Overview

This skill appears purpose-aligned: it reads a user-chosen codebase and creates a local HTML course, with expected local file, shell, and private-code exposure considerations.

Use this skill only on codebases you are comfortable letting the agent read and summarize. Review the generated HTML and briefs before sharing them. If any UI asks for unrelated credential or purchase permissions, do not grant them, because the provided artifacts do not show a need for those capabilities.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You have less external context for who maintains the skill or where its helper files originated.

Why it was flagged

The skill includes helper files but lacks an external source/homepage for provenance verification. This is a provenance note, not evidence of malicious behavior.

Skill content

Source: unknown; Homepage: none

Recommendation

Prefer trusted publishers when possible, and review bundled helper files before relying on the skill for sensitive repositories.

What this means

The agent can inspect the chosen repository, including private or sensitive source files if they are present.

Why it was flagged

The agent may clone a user-provided repository or read the current working directory. This is central to converting a codebase into a course, but it is still broad codebase access.

Skill content

If the user provides a GitHub link, clone the repository before starting the analysis (`git clone <url> /tmp/<repo-name>`). If they say "this codebase"...use the current working directory.

Recommendation

Run it only on repositories you are allowed to analyze, and avoid pointing it at directories containing secrets or unrelated private files.

What this means

A local shell command will write or overwrite the generated index.html inside the course directory.

Why it was flagged

The skill instructs running a local shell script to assemble the course. The provided script only concatenates local HTML files into index.html.

Skill content

cat _base.html modules/*.html _footer.html > index.html

Recommendation

Run the build script only from the generated course directory and review any modified helper script before executing it.

What this means

Generated course files may contain proprietary architecture details or source snippets from the analyzed codebase.

Why it was flagged

For complex codebases, the skill persists extracted code snippets and course summaries in local output files. This is purpose-aligned but can retain sensitive project details.

Skill content

Write the brief to `course-name/briefs/0N-slug.md`, containing: ... pre-extracted code snippets

Recommendation

Review the generated course and briefs before sharing them, and remove secrets, credentials, or proprietary snippets if they were included.